Binding lxd network to a vpn interface


I’d like to setup an LXD network for LXD containers such that all of its outgoing traffic is routed to an interface on the host system which is a Layer3 VPN. If this interface is down, no traffic should get out of the containers. I basically want to “seal” some containers under a VPN.

I tried a few things, for example creating a secondary bridge with:

lxc network create lxdvpn ipv4.address=none ipv6.address=none

but traffic still manages to get to the Internet, even if the lxdvpn interface does not have an IP address on the host system! Apparently traffic is routed to lxdbr0 and then to the default route. Do you have any hint?


Hmm, that part doesn’t make much sense, if the container was actually connected to the lxdvpn bridge, then it shouldn’t get any traffic through. You may want to check with ip link and lxc config show --expanded NAME to see what your containers are connected to.

As for what you want, it should be possible, your best bet is to run a normal LXD bridge, including DHCP and all, then have a firewall script on the host which sets up an alternate routing table only containing a default gateway through your VPN and then put an early ip rule in place so that any traffic coming from your bridge is sent through that table rather than the default routing table.